| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace. Where include order was changed, eliminate some
redundant or unnecessary includes.
ticket: 7961
|
When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.
For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.
ticket: 7933
|
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable. It is not required to
interoperate with any released version of Windows.
ticket: 7934 (new)
|
As contributed, the PKINIT module contained code to read the
pkinit_win2k variable, but never used it. Get rid of the structure
field and the code to populate it.
|
As contributed, the PKINIT code contained code to read a mapping
filename, but never used the resulting structure variable. Get rid of
the structure field and the code to populate it.
|
In pkinit_as_req_create, create and encode stack-allocated auth-pack
structures containing only alias pointers, instead of heap-allocated
structures containing a mix of alias pointers, owner pointers, and
appropriated caller memory. Keep everything we temporarily allocate
in separate local variables and free them through those variables.
In pa_pkinit_gen_req, use safer memory practices to avoid problems
like issue #7878. Free the checksum since pkinit_as_req_create no
longer takes ownership of it. Remove a broken overly defensive check
after calling pkinit_as_req_create.
Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are
no longer required.
|
Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.
Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.
Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.
ticket: 7680
|
Learn to manage a list of deferred identities, for which we want to
prompt for passwords or PINs, in pkinit_identity_crypto_context
structures, along with their associated token flags. These are opaque
outside of pkinit_crypto_openssl and pkinit_crypto_nss, so both
implementations need to provide wrapper functions that can be called
from elsewhere in the module to populate and query the lists.
ticket: 7680
|
Split part of pkinit_identity_initialize() into a second piece named
pkinit_identity_prompt(). Have each piece pass a new boolean flag to
crypto_load_certs() to indicate if it should defer prompting for a
password/PIN for client identities that require one. If the flag isn't
set, then crypto_load_certs() should attempt to use a responder-supplied
value, or call the prompter if there isn't one.
ticket: 7680
|
Allow configuration to override the default dh_min_bits of 2048 to
1024. Disallow configuration of dh_min_bits < 1024, but continue to
default to 2048.
ticket: 7602
target_version: 1.11.3
tags: pullup
|
* Keep track of the names of client identities when we load them.
* Store the client identity we just used when we create or retry a
client request.
* If we read a client identity from the configuration, treat it like the
KDC does: pick the "this is it, there is no other" logic branch.
|
Trace basic decisions about PKINIT client protocol processing.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25855 dc483132-0cff-0310-8789-dd5450dbe970
|
The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9,
which is fortunate because it doesn't work (see issue #7072).
Instead, it passes both kinds of PKINIT replies through
decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in
alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack.
So, remove the unused broken pa_pk_as_rep_draft9 decoder.
For pa_pk_as_req_draft9, we only use two of the fields on encode and
only one of those on decode. So, get rid of the unused fields and
the krb5_trusted_ca structure, and reduce the encoder and decoder
sequences to the minimum necessary fields.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
|
Use the krb5_pa_data structure type when encoding or decoding
TYPED-DATA. Leave the krb5_typed_data structure definition in krb5.h
with a comment saying not to use it. Remove krb5_free_typed_data
(which was never declared in krb5.h). Remove some vestigial accessor
stuff related to PKINIT encoding and decoding TYPED-DATA, which was
unneeded since r25483. Bump the accessor structure version to 19
accordingly.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25601 dc483132-0cff-0310-8789-dd5450dbe970
|
For consistency with the rest of the code base, make PKINIT use
krb5_data as a pointer/length container. Leave krb5_octet_data and
krb5_free_octet_data behind for API compatibility.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25600 dc483132-0cff-0310-8789-dd5450dbe970
|
Add an implementation of PKINIT using NSS instead of OpenSSL, from
nalin@redhat.com.
ticket: 6975
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25327 dc483132-0cff-0310-8789-dd5450dbe970
|
All current known uses of e_data are encoded as pa-data or typed-data.
FAST requires that e_data be expressed as pa-data. Change the DAL and
kdcpreauth interfaces so that e_data is returned as a sequence of
pa-data elements. Add a preauth module flag to indicate that the
sequence should be encoded as typed-data in non-FAST errors.
ticket: 6969
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25209 dc483132-0cff-0310-8789-dd5450dbe970
|
Per RFC 6112 use SignedData not ContentInfo for anonymous when the KDC
offers support for PKINIT_KX padata.
ticket: 6962
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25186 dc483132-0cff-0310-8789-dd5450dbe970
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25185 dc483132-0cff-0310-8789-dd5450dbe970
|
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
|
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
|
invocations. No functional changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22534 dc483132-0cff-0310-8789-dd5450dbe970
|
besides picking a subsidiary function based on the (constant) input
argument. Remove the associated constants from pkinit.h as well. No
functional change.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22512 dc483132-0cff-0310-8789-dd5450dbe970
|
Instead, move the pkinit-specific KRB5_CONF macros to pkinit.h, and
add duplicate definitions of the non-pkinit-specific macros used by
the pkinit code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22113 dc483132-0cff-0310-8789-dd5450dbe970
|
Pull up PKINIT support onto the trunk.
Changes from the version in branch users/coffman/pkinit are:
- Update the preauth plugin interface version to avoid
conflict with any existing plugins.
- Add a pkcs11.h locally to the pkinit code rather than
depending on opensc being installed.
ticket: new
Target_Version: 1.6.3
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19745 dc483132-0cff-0310-8789-dd5450dbe970
|